<?php

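if(isset($_POST['btnSign'])) {

	// NOTE(review): no anti-CSRF token is validated in this handler; confirm the
	// including page checks one before the form post reaches this point.

	// Read the two form fields. Default to '' when a field is missing so a
	// hand-crafted POST that omits it does not raise undefined-index notices.
	$message = isset($_POST['mtxMessage']) ? trim($_POST['mtxMessage']) : '';
	$name    = isset($_POST['txtName'])    ? trim($_POST['txtName'])    : '';

	// Sanitize message input.
	// This page HTML-encodes values *before* storing them, so whatever renders
	// the guestbook must echo the stored text as-is and not encode it again.
	// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of letting
	// htmlspecialchars() silently return '' for the whole string.
	$message = stripslashes($message);
	$message = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
	// SQL escaping is the final transformation so nothing after it can
	// re-introduce a quote or backslash into the value.
	$message = mysql_real_escape_string($message);

	// Sanitize name input.
	$name = stripslashes($name);
	/* Prevent XSS via UTF-7 / charset confusion: htmlentities() encodes every
	   applicable character (not only the HTML specials) with an explicit
	   UTF-8 charset, and ENT_QUOTES covers both quote styles. */
	$name = htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
	$name = mysql_real_escape_string($name);

	// Both values are escaped for SQL above; they are interpolated into a
	// single INSERT against the guestbook table.
	$query = "INSERT INTO guestbook (comment,name) VALUES ('$message','$name');";

	// Keep the driver's error text out of the HTTP response: mysql_error()
	// reveals table names and query fragments to the client. Log it
	// server-side and show a neutral message instead.
	$result = mysql_query($query);
	if ($result === false) {
		error_log('guestbook insert failed: ' . mysql_error());
		die('<pre>Something went wrong while saving your comment.</pre>');
	}

}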

?>